By Daniele Catteddu, Chief Technology Officer, Cloud Security Alliance
Today the Cloud Security Alliance released "CSA STAR Program & Open Certification Framework in 2016 and Beyond," a new whitepaper that describes for the security community some of the key challenges in cloud security certification and how the CSA intends to address them going forward.
As background: since its launch in 2011, the CSA's Security, Trust and Assurance Registry (STAR) program has become the industry's leading trust mark for cloud security, with the objective of improving trust in the cloud market by offering increased transparency and information security assurance. The Open Certification Framework (OCF), also developed by the CSA, is an industry initiative to enable global, accredited, trusted certification of cloud providers. It allows for flexible, incremental and multi-layered cloud service provider (CSP) certifications based on the CSA's security guidance.
Together the OCF/STAR program comprises a global cloud computing assurance framework with a scope of capabilities, flexibility of execution, and completeness of vision that far exceeds the risk and compliance objectives of other security audit and certification programs.
Since the launch of STAR, the cloud market has evolved and matured, and so has the cloud audit and certification landscape: there are now more than fifteen options, including national, regional and global, sector-specific, cloud-specific and generic certification schemes. This proliferation has created, among other things, a barrier to entry for CSPs that cannot afford to be certified by multiple countries and organizations.
Aside from the time and cost of pursuing and maintaining these numerous certifications, there are a number of other concerns, including:
- Lack of means to provide a higher level of assurance and transparency
- Privacy not adequately taken into account
- Limited transparency
- Lack of means to streamline GRC
To address these certification challenges, the CSA is proposing, through the OCF, to offer the cloud community both a global recognition scheme for security and privacy certification and a set of GRC tools and practices that address the many complex assurance and transparency requirements of cloud stakeholders.
The three core ideas behind the CSA's suggested solutions are that an effective and efficient approach to trust and assurance has to:
- carefully balance the need of nations and business sectors to develop their own certification schemes with the need of CSPs to reduce compliance costs
- avoid having humans (auditors) perform activities that machines can perform (e.g. collecting data)
- ensure that accurate and reliable evidence and information is provided to the relevant people in a timely fashion, leveraging automated means as much as possible
The paper also outlines how a number of other frameworks and controls should play a part in this solution including:
- Leveraging CCM and OCF/STAR as normalizing factors
- Conducting continuous monitoring/auditing
- Integrating the Privacy Level Agreement code of conduct into the STAR Program
The CSA is currently seeking validation for its proposed OCF-STAR program action plan and is seeking input and support from the CSA community. To become involved, visit the Open Certification Working Group.